Cisco UCS Manager CLI Configuration Guide, Release 1.3(1)
Configuring Communication Services
Downloads: This chapterpdf (PDF - 550.0KB) The complete bookPDF (PDF - 4.5MB) | Feedback

Configuring Communication Services

Configuring Communication Services

This chapter includes the following sections:

Communication Services

You can use the following communication services to interface third-party applications with Cisco UCS:

Communication Service

Description

CIM XML

This service is disabled by default and is only available in read-only mode. The default port is 5988.

This common information model is one of the standards defined by the Distributed Management Task Force.

HTTP

This service is enabled on port 80 by default.

You must enable either HTTP or HTTPS to run Cisco UCS Manager GUI. If you select HTTP, all data is exchanged in clear text mode.

For security purposes, we recommend that you enable HTTPS and disable HTTP.

HTTPS

This service is enabled on port 443 by default.

You must enable either HTTP or HTTPS to run Cisco UCS Manager GUI. If you select HTTPS, all data is exchanged in encrypted mode through a secure server.

For security purposes, we recommend that you enable HTTPS and disable HTTP.

SMASH CLP

This service is enabled for read-only access and supports a limited subset of the protocols, such as the show command. You cannot disable it.

This shell service is one of the standards defined by the Distributed Management Task Force.

SNMP

This service is disabled by default. If enabled, the default port is 161. You must configure the community and at least one SNMP trap.

Enable this service only if your system includes integration with an SNMP server.

SSH

This service is enabled on port 22. You cannot disable it, nor can you change the default port.

This service provides access to the Cisco UCS Manager CLI.

Telnet

This service is disabled by default.

This service provides access to the Cisco UCS Manager CLI.

Configuring CIM XML

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope system  

Enters system mode.

 
Step 2 UCS-A /system # scope services  

Enters system services mode.

 
Step 3 UCS-A /system/services # enable cimxml  

Enables the CIM XLM service.

 
Step 4 UCS-A /system/services # set cimxml port port-num  

Specifies the port to be used for the CIM XML connection.

 
Step 5 UCS-A /system/services # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables CIM XML, sets the port number to 5988, and commits the transaction:

UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable cimxml
UCS-A /system/services* # set cimxml port 5988
UCS-A /system/services* # commit-buffer
UCS-A /system/services #

Configuring HTTP

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope system  

Enters system mode.

 
Step 2 UCS-A /system # scope services  

Enters system services mode.

 
Step 3 UCS-A /system/services # enable http  

Enables the HTTP service.

 
Step 4 UCS-A /system/services # set http port port-num  

Specifies the port to be used for the HTTP connection.

 
Step 5 UCS-A /system/services # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables HTTP, sets the port number to 80, and commits the transaction:

UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable http
UCS-A /system/services* # set http port 80
UCS-A /system/services* # commit-buffer
UCS-A /system/services #

Configuring HTTPS

Certificates, Key Rings, and Trusted Points

HTTPS uses components of the Public Key Infrastructure (PKI) to establish secure communications between two devices, such as a client's browser and Cisco UCS Manager.

Encryption Keys and Key Rings

Each PKI device holds a pair of asymmetric Rivest-Shamir-Adleman (RSA) encryption keys, one kept private and one made public, stored in an internal key ring. A message encrypted with either key can be decrypted with the other key. To send an encrypted message, the sender encrypts the message with the receiver's public key, and the receiver decrypts the message using its own private key. A sender can also prove its ownership of a public key by encrypting (also called 'signing') a known message with its own private key. If a receiver can successfully decrypt the message using the public key in question, the sender's possession of the corresponding private key is proven. Encryption keys can vary in length, with typical lengths from 512 bits to 2048 bits. In general, a longer key is more secure than a shorter key. Cisco UCS Manager provides a default key ring with an initial 1024-bit key pair, and allows you to create additional key rings.

Certificates

To prepare for secure communications, two devices first exchange their digital certificates. A certificate is a file containing a device's public key along with signed information about the device's identity. To merely support encrypted communications, a device can generate its own key pair and its own self-signed certificate. When a remote user connects to a device that presents a self-signed certificate, the user has no easy method to verify the identity of the device, and the user's browser will initially display an authentication warning. By default, Cisco UCS Manager contains a built-in self-signed certificate containing the public key from the default key ring.

Trusted Points

To provide stronger authentication for Cisco UCS Manager, you can obtain and install a third-party certificate from a trusted source, or trusted point, that affirms the identity of your device. The third-party certificate is signed by the issuing trusted point, which can be a root certificate authority (CA) or an intermediate CA or trust anchor that is part of a trust chain that leads to a root CA. To obtain a new certificate, you must generate a certificate request through Cisco UCS Manager and submit the request to a trusted point.

Creating a Key Ring

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # create keyring keyring-name  

Creates and names the key ring.

 
Step 3 UCS-A /security/keyring # set modulus {mod1024 | mod1536 | mod2048 | mod512}  

Sets the SSL key length in bits.

 
Step 4 UCS-A /security/keyring # commit-buffer  

Commits the transaction.

 

The following example creates a keyring with a key size of 1024 bits:

UCS-A# scope security
UCS-A /security # create keyring kr220
UCS-A /security/keyring* # set modulus mod1024
UCS-A /security/keyring* # commit-buffer
UCS-A /security/keyring # 
What to Do Next

Create a certificate request for this key ring.

Creating a Certificate Request for a Key Ring

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # scope keyring keyring-name  

Enters configuration mode for the key ring.

 
Step 3 UCS-A /security/keyring # create certreq {ip ip-address | subject-name name}  

Creates a certificate request using the IP address or name of the fabric interconnect. You are prompted to enter a password for the certificate request.

 
Step 4 UCS-A /security/keyring # commit-buffer  

Commits the transaction.

 
Step 5 UCS-A /security/keyring # show certreq 

Displays the certificate request, which you can copy and send to a trust anchor or certificate authority.

 

The following example creates and displays a certificate request for a key ring:

UCS-A# scope security
UCS-A /security # scope keyring kr220
UCS-A /security/keyring # create certreq ip 192.168.200.123 subject-name sjc04
Certificate request password: 
Confirm certificate request password:
UCS-A /security/keyring* # commit-buffer
UCS-A /security/keyring # show certreq
Certificate request subject name: sjc04
Certificate request ip address: 192.168.200.123
Request:
-----BEGIN CERTIFICATE REQUEST-----
MIIBfTCB5wIBADARMQ8wDQYDVQQDEwZzYW1jMDQwgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBALpKn1t8qMZO4UGqILKFXQQc2c8b/vW2rnRF8OPhKbhghLA1YZ1F
JqcYEG5Yl1+vgohLBTd45s0GC8m4RTLJWHo4SwccAUXQ5Zngf45YtX1WsylwUWV4
0re/zgTk/WCd56RfOBvWR2Dtztu2pGA14sd761zLxt29K7R8mzj6CAUVAgMBAAGg
LTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQEB/wQQMA6CBnNhbWMwNIcECsEiXjAN
BgkqhkiG9w0BAQQFAAOBgQCsxN0qUHYGFoQw56RwQueLTNPnrndqUwuZHUO03Teg
nhsyu4satpyiPqVV9viKZ+spvc6x5PWIcTWgHhH8BimOb/0OKuG8kwfIGGsEDlAv
TTYvUP+BZ9OFiPbRIA718S+V8ndXr1HejiQGxlDNqoN+odCXPc5kjoXD0lZTL09H
BA==
-----END CERTIFICATE REQUEST-----

UCS-A /security/keyring # 
What to Do Next


  • Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file. Send the file with the certificate request to a trust anchor or certificate authority to obtain a certificate for the key ring.

  • Create a trusted point and set the certificate chain for the certificate of trust received from the trust anchor.

Creating a Trusted Point

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # create trustpoint name  

Creates and names a trusted point.

 
Step 3 UCS-A /security/trustpoint # set certchain certchain  

Specifies certificate information for this trusted point.

If you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints defining a certification path to the root certificate authority (CA). On the next line following your input, type ENDOFBUF to finish.

 
Step 4 UCS-A /security/trustpoint # commit-buffer  

Commits the transaction.

 

The following example creates a trusted point and provides a certificate for the trusted point:

UCS-A# scope security
UCS-A /security # create trustpoint tPoint10
UCS-A /security/trustpoint* # set certchain 
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Trustpoint Certificate Chain:
> -----BEGIN CERTIFICATE-----
> MIIDMDCCApmgAwIBAgIBADANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJVUzEL
> BxMMU2FuIEpvc2UsIENBMRUwEwYDVQQKEwxFeGFtcGxlIEluYy4xEzARBgNVBAsT
> ClRlc3QgR3JvdXAxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20xHzAdBgkqhkiG
> 9w0BCQEWEHVzZXJAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
> AoGBAMZw4nTepNIDhVzb0j7Z2Je4xAG56zmSHRMQeOGHemdh66u2/XAoLx7YCcYU
> ZgAMivyCsKgb/6CjQtsofvtrmC/eAehuK3/SINv7wd6Vv2pBt6ZpXgD4VBNKONDl
> GMbkPayVlQjbG4MD2dx2+H8EH3LMtdZrgKvPxPTE+bF5wZVNAgMBAAGgJTAjBgkq
> hkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcNAQEFBQAD
> gYEAG61CaJoJaVMhzCl903O6Mg51zq1zXcz75+VFj2I6rH9asckCld3mkOVx5gJU
> Ptt5CVQpNgNLdvbDPSsXretysOhqHmp9+CLv8FDuy1CDYfuaLtvlWvfhevskV0j6
> jtcEMyZ+f7+3yh421ido3nO4MIGeBgNVHSMEgZYwgZOAFLlNjtcEMyZ+f7+3yh42
> 1ido3nO4oXikdjB0MQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAcT
> C1NhbnRhIENsYXJhMRswGQYDVQQKExJOdW92YSBTeXN0ZW1zIEluYy4xFDASBgNV
> BAsTC0VuZ2luZWVyaW5nMQ8wDQYDVQQDEwZ0ZXN0Q0GCAQAwDAYDVR0TBAUwAwEB
> /zANBgkqhkiG9w0BAQQFAAOBgQAhWaRwXNR6B4g6Lsnr+fptHv+WVhB5fKqGQqXc
> wR4pYiO4z42/j9Ijenh75tCKMhW51az8copP1EBmOcyuhf5C6vasrenn1ddkkYt4
> PR0vxGc40whuiozBolesmsmjBbedUCwQgdFDWhDIZJwK5+N3x/kfa2EHU6id1avt
> 4YL5Jg==
> -----END CERTIFICATE-----
> ENDOFBUF
UCS-A /security/trustpoint* # commit-buffer
UCS-A /security/trustpoint # 
What to Do Next

Obtain a key ring certificate from the trust anchor or certificate authority and import it into the key ring.

Importing a Certificate into a Key Ring

Before You Begin
  • Obtain a key ring certificate from a trust anchor or certificate authority.

  • A trusted point must be configured that contains the certificate chain for the key ring certificate.


Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # scope keyring keyring-name  

Enters configuration mode for the key ring that will receive the certificate.

 
Step 3 UCS-A /security/keyring # set trustpoint name  

Specifies the trusted point for the trust anchor or certificate authority from which the key ring certificate was obtained.

 
Step 4 UCS-A /security/keyring # set cert  

Launches a dialog for entering and uploading the key ring certificate.

At the prompt, paste the certificate text that you received from the trust anchor or certificate authority. On the next line following the certificate, type ENDOFBUF to complete the certificate input.

 
Step 5 UCS-A /security/keyring # commit-buffer  

Commits the transaction.

 

The following example specifies the trust point and imports a certificate into a key ring:

UCS-A# scope security
UCS-A /security # scope keyring kr220
UCS-A /security/keyring # set trustpoint tPoint10
UCS-A /security/keyring* # set cert
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
Keyring certificate:
> -----BEGIN CERTIFICATE-----
> MIIB/zCCAWgCAQAwgZkxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UE
> BxMMU2FuIEpvc2UsIENBMRUwEwYDVQQKEwxFeGFtcGxlIEluYy4xEzARBgNVBAsT
> ClRlc3QgR3JvdXAxGTAXBgNVBAMTEHRlc3QuZXhhbXBsZS5jb20xHzAdBgkqhkiG
> 9w0BCQEWEHVzZXJAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
> AoGBAMZw4nTepNIDhVzb0j7Z2Je4xAG56zmSHRMQeOGHemdh66u2/XAoLx7YCcYU
> ZgAMivyCsKgb/6CjQtsofvtrmC/eAehuK3/SINv7wd6Vv2pBt6ZpXgD4VBNKONDl
> GMbkPayVlQjbG4MD2dx2+H8EH3LMtdZrgKvPxPTE+bF5wZVNAgMBAAGgJTAjBgkq
> hkiG9w0BCQcxFhMUQSBjaGFsbGVuZ2UgcGFzc3dvcmQwDQYJKoZIhvcNAQEFBQAD
> gYEAG61CaJoJaVMhzCl903O6Mg51zq1zXcz75+VFj2I6rH9asckCld3mkOVx5gJU
> Ptt5CVQpNgNLdvbDPSsXretysOhqHmp9+CLv8FDuy1CDYfuaLtvlWvfhevskV0j6
> mK3Ku+YiORnv6DhxrOoqau8r/hyI/L43l7IPN1HhOi3oha4=
> -----END CERTIFICATE-----
> ENDOFBUF
UCS-A /security/keyring* # commit-buffer
UCS-A /security/keyring # 
What to Do Next

Configure your HTTPS service with the key ring.

Configuring HTTPS

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope system  

Enters system mode.

 
Step 2 UCS-A /system # scope services  

Enters system services mode.

 
Step 3 UCS-A /system/services # enable https  

Enables the HTTPS service.

 
Step 4 UCS-A /system/services # set https port port-num  

Specifies the port to be used for the HTTPS connection.

 
Step 5 UCS-A /system/services # set https keyring keyring-name  

Specifies the name for the HTTPS keyring.

Caution   

When the HTTPS keyring is modified using the set https keyring command, all current HTTP and HTTPS sessions are closed without warning.

 
Step 6 UCS-A /system/services # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables HTTPS, sets the port number to 443, sets the key ring name to kring7984, and commits the transaction:

UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # enable https
UCS-A /system/services* # set https port 443
UCS-A /system/services* # set https keyring kring7984
UCS-A /system/services* # commit-buffer
UCS-A /system/services #

Deleting a Key Ring

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # delete keyring name  

Deletes the named key ring.

 
Step 3 UCS-A /security # commit-buffer  

Commits the transaction.

 

The following example deletes a key ring:

UCS-A# scope security
UCS-A /security # delete keyring key10
UCS-A /security* # commit-buffer
UCS-A /security # 

Deleting a Trusted Point

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope security  

Enters security mode.

 
Step 2 UCS-A /security # delete trustpoint name  

Deletes the named trusted point.

 
Step 3 UCS-A /security # commit-buffer  

Commits the transaction.

 

The following example deletes a trusted point:

UCS-A# scope security
UCS-A /security # delete trustpoint tPoint10
UCS-A /security* # commit-buffer
UCS-A /security # 

Configuring SNMP

Enabling SNMP and Configuring an SNMP Community

SNMP messages from a Cisco UCS instance display the fabric interconnect name rather than the system name.

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # enable snmp  

Enables SNMP.

 
Step 3 UCS-A /monitoring # set snmp community community-name  

Specifies SNMP community. The community name can be any alphanumeric string up to 32 characters.

 
Step 4 UCS-A /monitoring # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables SNMP, configures an SNMP community named SnmpCommSystem2, and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # set snmp community SnmpCommSystem2
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #
What to Do Next

Create SNMP trap hosts and users.

Creating an SNMP Trap Host

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # enable snmp  

Enables SNMP.

 
Step 3 UCS-A /monitoring # create snmp-trap {hostname | ip-addr}  

Creates an SNMP trap host with the specified hostname or IP address.

 
Step 4 UCS-A /monitoring/snmp-trap # set community community-name  

Specifies the SNMP community name to be used for the SNMP trap.

 
Step 5 UCS-A /monitoring/snmp-trap # set port port-num  

Specifies the port to be used for the SNMP trap.

 
Step 6 UCS-A /monitoring/snmp-trap # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables SNMP, creates an SNMP trap, specifies that the trap will use the SnmpCommSystem2 community on port 2, and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-trap 192.168.100.112
UCS-A /monitoring/snmp-trap* # set community SnmpCommSystem2
UCS-A /monitoring/snmp-trap* # set port 2
UCS-A /monitoring/snmp-trap* # commit-buffer
UCS-A /monitoring/snmp-trap #

Deleting an SNMP Trap Host

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # delete snmp-trap {hostname | ip-addr}  

Deletes the specified SNMP trap host with the specified hostname or IP address.

 
Step 3 UCS-A /monitoring # commit-buffer  

Commits the transaction to the system configuration.

 

The following example deletes the SNMP trap at IP address 192.168.100.112 and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # delete snmp-trap 192.168.100.112
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #

Creating an SNMPv3 User

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # enable snmp  

Enables SNMP.

 
Step 3 UCS-A /monitoring # create snmp-user user-name  

Creates the specified SNMPv3 user.

An SNMP user name cannot be the same as a local user name. Choose an SNMP user name that does not match a local user name.

 
Step 4 UCS-A /monitoring/snmp-user # set aes-128 {no | yes}  

Enables or disables the use of AES-128 encryption.

 
Step 5 UCS-A /monitoring/snmp-user # set auth {md5 | sha}  

Specifies the use of MD5 or DHA authentication.

 
Step 6 UCS-A /monitoring/snmp-user # set password  

Specifies the user password. After you enter the set password command, you are prompted to enter and confirm the password.

 
Step 7 UCS-A /monitoring/snmp-user # set priv-password  

Specifies the user privacy password. After you enter the set priv-password command, you are prompted to enter and confirm the privacy password.

 
Step 8 UCS-A /monitoring/snmp-user # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables SNMP, creates an SNMPv3 user named snmp-user14, disables AES-128 encryption, specifies the use of MD5 authentication, sets the password and privacy password, and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # enable snmp
UCS-A /monitoring* # create snmp-user snmp-user14
UCS-A /monitoring/snmp-user* # set aes-128 no
UCS-A /monitoring/snmp-user* # set auth md5
UCS-A /monitoring/snmp-user* # set password
Enter a password:
Confirm the password: 
UCS-A /monitoring/snmp-user* # set priv-password
Enter a password:
Confirm the password: 
UCS-A /monitoring/snmp-user* # commit-buffer
UCS-A /monitoring/snmp-user #

Deleting an SNMPv3 User

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # delete snmp-user user-name  

Deletes the specified SNMPv3 user.

 
Step 3 UCS-A /monitoring # commit-buffer  

Commits the transaction to the system configuration.

 

The following example deletes the SNMPv3 user named snmp-user14 and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # delete snmp-user snmp-user14
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #

Disabling SNMP

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope monitoring  

Enters monitoring mode.

 
Step 2 UCS-A /monitoring # disable snmp  

Disables the SNMP service.

 
Step 3 UCS-A //monitoring # commit-buffer  

Commits the transaction to the system configuration.

 

The following example disables SNMP and commits the transaction:

UCS-A# scope monitoring
UCS-A /monitoring # disable snmp
UCS-A /monitoring* # commit-buffer
UCS-A /monitoring #

Configuring Telnet

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope system  

Enters system mode.

 
Step 2 UCS-A /system # scope services  

Enters system services mode.

 
Step 3 UCS-A /services # enable telnet-server  

Enables the Telnet service.

 
Step 4 UCS-A /services # commit-buffer  

Commits the transaction to the system configuration.

 

The following example enables Telnet and commits the transaction:

UCS-A# scope system
UCS-A /system # scope services
UCS-A /services # enable telnet-server
UCS-A /services* # commit-buffer
UCS-A /services #

Disabling Communication Services

Procedure
  Command or Action Purpose
Step 1 UCS-A# scope system  

Enters system mode.

 
Step 2 UCS-A /system # scope services  

Enters system services mode.

 
Step 3 UCS-A /system/services # disable service-name  

Disables the specified service, where the service-name argument is one of the following keywords:


  • cimxml—Disables CIM XML service

  • http—Disables HTTP service

  • https—Disables HTTPS service

  • telnet-server—Disables Telnet service

 
Step 4 UCS-A /system/services # commit-buffer  

Commits the transaction to the system configuration.

 

The following example disables CIM XML and commits the transaction:

UCS-A# scope system
UCS-A# scope services
UCS-A /system/services # disable cimxml
UCS-A /system/services* # commit-buffer
UCS-A /system/services #